Skip links

Biden signs cybercrime tracking bill into law

US President Joe Biden has signed into law a bill that aims to improve how the federal government tracks and prosecutes cybercrime.

The Better Cybercrime Metrics Act, which Biden signed late last week, requires the Department of Justice to work with the National Academy of Sciences to develop a taxonomy that law enforcement can use to categorize different types of cybercrime. 

It also gives the Department of Justice two years to establish a category in the National Incident-Based Reporting System for the collection of cybercrime reports from federal, state, and local officials. 

Additionally, it requires the Government Accountability Office to report on the effectiveness of existing cybercrime mechanisms and highlight disparities in reporting cybercrime data versus other types of crime data. 

And it requires the National Crime Victimization Survey to add questions related to cybercrime in its surveys.

A bipartisan majority of the US House voted to pass the legislation in March, and the Senate passed the companion bill in December 2021.

Government agencies, including the FBI’s Internet Crime Complaint Center (IC3), already track and report cybercrime metrics, and by its accounts these types of crimes cost victims billions of dollars every year.

In its most recent IC3 report, the bureau said 2021 set records for the total number of complaints (847,376) as well as losses exceeding $6.9 billion, a jump from the $4.2 billion reported a year earlier.

Still, proponents of the law say the large majority of cybercrimes are not reported or tracked. At least one estimate puts IC3’s incident collection at about one in 90 of all cybercrimes committed.

Better cybercrime tracking at the federal level will help law enforcement identify threats and prevent attacks, said House Rep Abigail Spanberger (D-VA), who co-authored the bill.

“As cybercriminals increasingly adapt their methods of attack against vulnerable people and networks, the United States must improve our cybercrime classification system,” she said in a canned statement. “Otherwise, we are risking the safety and privacy of American families, homes, businesses, and government agencies.” 

Washington’s push to improve cybersecurity reporting

The law is part of a larger push by the Feds to improve cybersecurity incident reporting, and comes amid the growing threat from Russia as Putin’s war against Ukraine grinds on.

In March, Biden signed the Strengthening American Cybersecurity Act of 2022 into law, which requires critical infrastructure owners and operators to report cyberattacks within 72 hours. 

That same month, the SEC proposed a rule that would force public companies to disclose cyberattacks within four days along with periodic reports about their cyber-risk management plans.

Additionally, the Department of Homeland Security in February established a public-private Cyber Safety Review Board to review “significant” cybersecurity events and help government and the private sector better protect US networks and infrastructure. 

All of these efforts move America toward a more holistic view of cybersecurity and will help prevent future attacks, Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance, told The Register.

“One of the biggest revelations over the past 24 months in particular is how integral collaboration and cohesion are to cybersecurity success. And unfortunately, because the government has relied on a fragmented approach to cybersecurity for so long, it is virtually impossible to get visibility into not just current cybersecurity issues — public and private — but to get a cohesive view of the data and insights necessary to assess previous incidents that have cropped up as well,” Plaggemier said. 

“Now granted, for many outside of the cybersecurity industry the Better Cybercrime Metrics Act may not be earth shattering,” she continued. “However, if all goes according to plan, the BCMA — alongside other recently announced initiatives like DHS’s cyber review board — will lay pivotal foundational blocks that have been missing from the government’s cybersecurity infrastructure for too long and will allow the government to be more agile in its future cybersecurity efforts.” ®